research notes · independent
v1.0 · 2026-05-17
design sketch · rgb + lightning + btc

Proof‑of‑Settlement:
the layer Utexo's stack quietly unlocks.

Notes on a property that stablecoin rails have been missing — and what a verifiable receipt could look like on RGB + Lightning, anchored to Bitcoin.

@98_AKR 8 min read · 3 figures · 1 schema

Independent research note. Not affiliated with, endorsed by, or representing Utexo, Tether, or any protocol mentioned. All trademarks belong to their respective owners.

§ 01 · the wrong axis

Most stablecoin conversations still center on the wrong question.

Faster USDT.
Cheaper USDT.
USDT on more chains.

Useful work — but it
answers a question
businesses stopped
asking a while ago.

The question that actually blocks enterprise adoption is narrower: can I move stablecoins without exposing my payment graph to competitors, and still produce verifiable evidence of settlement for the people who legitimately need it — finance, compliance, an auditor, a counterparty?

That question doesn't get solved by a faster chain. It gets solved by a different shape of receipt.

Utexo's architecture — Bitcoin as the settlement anchor, Lightning for execution, RGB for private asset validation, an API layer for operators — happens to be one of the few stacks where this shape becomes natural. Not because anyone has built it yet, but because the primitives are already there.

§ 02 · three models

None of today's options give you both privacy and verifiability.

Model A

Public chain
(ETH / TRON)

Verification is trivial — anyone can check the transaction. It also leaks everything: counterparties, balances, payout frequency, treasury patterns.

An open invoice book pinned to a competitor's wall.

Verifiable · Not private
Model B

Custodial
private rail

The outside world sees nothing — but now the operator has to convince everyone settlement happened. Every audit, every dispute resolves through their logs.

If the operator is offline, dishonest, or under subpoena: the proof breaks.

Private · Not verifiable
Model C

Utexo + selective audit

Asset state lives off-chain (RGB, client-side validated). A commitment is anchored to Bitcoin. The settlement event is real and verifiable — the payment graph is not public.

The building blocks for a third option already exist.

Verifiable · Private
§ 03 · the receipt

What a proof-of-settlement receipt actually looks like.

settlement_receipt.json ● ed25519 signed
{
  "version": "1.0",
  "payment_intent_hash": "0x7c2a…f1",
  "asset": "USDT-RGB",
  "amount": "1250.00",
  "status": "settled",
  "timestamp": "2026-05-17T11:42:03Z",
  "rgb_proof_ref": "rgb:utxob:9c…/12",
  "btc_anchor_ref": "btc:tx:8af…:vout:0",
  "policy_checksum": "sha256:e4…91",
  "policy_version": "ut-policy-v3.1",
  "reconciliation_id": "merchant-abc:batch-2026-138",
  "jurisdiction_tag": "EU-MiCA",
  "counterparty_id_commitment": "hmac:…",
  "signature": "ed25519:…"
}

A few things are deliberately not in there. No plain counterparty identifier — only a commitment the counterparty can open to themselves. No amount-by-time history. No wallet address. No fee path.

Four questions, one artifact —

Merchant →"Did this payment settle?"
PSP →"Does this match my books?"
Auditor →"Is the proof chain to Bitcoin valid?"
Compliance →"Was the right policy enforced?"
Settlement Receipt
payment_intent_hash rgb_proof_ref · btc_anchor_ref policy_checksum · status amount · asset · timestamp
Merchant
Needs to confirmpayment settled, amount correct
  • status
  • amount · asset
  • timestamp
  • payment_intent_hash
  • counterparty_id
  • rgb_proof_ref
  • policy_checksum
  • btc_anchor_ref
Verifies: did it settle?
PSP / Operator
Needs to reconcilebatches against own books
  • status
  • amount · asset
  • timestamp
  • payment_intent_hash
  • reconciliation_id
  • policy_checksum
  • counterparty_id
  • rgb_proof_ref
Verifies: do my books match?
Auditor
Needs to provesettlement anchored to Bitcoin
  • status
  • amount · asset
  • timestamp
  • btc_anchor_ref
  • rgb_proof_ref
  • policy_checksum
  • counterparty_id
  • payment_intent_hash
Verifies: is the chain of proof valid?
Compliance
Needs to showinternal rules were applied
  • policy_checksum
  • status
  • timestamp
  • policy_version
  • jurisdiction_tag
  • counterparty_id
  • amount · asset
  • rgb_proof_ref
Verifies: was policy enforced?
visible hidden by policy Fig. 1 Selective audit views — each role queries the same receipt object.

"None of these views require trusting a central operator's database. All resolve against the same signed receipt."

— the selective part
§ 04 · what leaks, what holds

The properties enterprises actually ask about — not TPS.

Bitcoin gives us
the anchor.

RGB gives us off-chain
asset state, client-side
validated.

Lightning gives us
fast execution.

Utexo gives us the
integration layer.

What's missing is the
receipt format.

The honest way to evaluate any settlement model is to put it next to its competitors on the properties enterprises actually ask about — not "TPS" but "what leaks, what can be proven, what costs are predictable."

The column on the right doesn't exist as a product yet. The primitives do. What's missing is the receipt format and the verifier that enforces role-based field visibility — the artifacts payments leave behind, not the payments themselves.

Concern
Property under test
Model A
Public chain (ETH / TRON)
Model B
Custodial private rail
Model C
Utexo + selective audit
Payment graph visible
to outside observers
✗ Fully public
Indexable by anyone.
~ Hidden
But in the operator's logs.
✓ Encrypted
On-chain commitment, off-chain validated.
Trust to verify settlement
happened correctly
✓ Trustless
L1 finality.
✗ Trust operator
Their logs are the proof.
✓ Trustless
Bitcoin anchor.
Merchant can verify
"did the payment land?"
✓ Yes
Via public tx.
✓ Yes
Via operator dashboard.
✓ Yes
Via signed receipt.
Counterparty hidden from
competitors / chain analysts
✗ No
Address graph leaks.
~ Partial
Operator still knows.
✓ Yes
Client-side validation.
Auditor can prove anchor
without seeing payment graph
✗ No
Needs full visibility.
✗ No
Needs operator cooperation.
✓ Yes
Proof package + anchor.
Machine-verifiable receipt
for autonomous agents (x402)
~ Possible
But leaks every call.
✗ Vendor-specific
Proprietary format.
★ Native
Signed by settlement layer.
Selective disclosure
role-based field visibility
✗ No
All-or-nothing.
✗ No
Operator decides ad hoc.
✓ Yes
Enforced by policy_checksum.
Fee predictability
at execution time
✗ No
Congestion-driven.
✓ Yes
Set by operator.
✓ Yes
Fixed at protocol level.
Fig. 2 Read by row — each property is what a CFO, compliance lead, or merchant integration team actually asks before adopting a rail.
§ 05 · machine commerce

For autonomous agents, the receipt is the contract.

Human commerce can
absorb friction:
a dashboard, a CSV,
a PDF export.

Agent commerce
cannot.

There is no human
to look at a
screenshot.

The case for proof-of-settlement gets sharper once you think about x402-style flows — autonomous agents paying APIs, data feeds, storage, compute.

If an agent buys a hundred API calls per minute, the only sustainable model is one where the agent gets back a signed receipt for each settlement, the API verifies it locally with no round-trip to a central operator, and the agent's owner can later reconcile and audit those receipts without exposing the full call graph to anyone else.

→ 01–02
402 Payment Required

Agent hits the API. Provider responds with price · asset · payment_intent.

→ 03–04
Submit · Anchor

Signed intent goes to Utexo. Settlement layer commits to Bitcoin.

→ 05–06
Receipt back

Signed settlement receipt returned with btc_anchor_ref · rgb_proof_ref · sig.

→ 07–08
Verify locally

Provider verifies the signature + anchor — no phone-home, no operator trust.

AI Agent
API Provider
Utexo Settlement
Verifier (any party)
01GET /resource
no auth, no payment
02402 Payment Required
price · asset · payment_intent
03submit signed intent
intent_hash · policy_ref · RGB asset
04 execute · anchor commit to Bitcoin
05signed Settlement Receipt
btc_anchor_ref · rgb_proof_ref · sig
06GET /resource
X-Payment-Receipt: …
07verify_receipt(receipt)
check sig · anchor · policy_checksum
08200 OK · resource delivered
receipt logged for reconciliation
Key property — any party (API, auditor, third-party verifier) can independently confirm settlement from the receipt alone, without re-querying the agent or trusting the API operator's logs.
Fig. 3 Agent-to-API payment flow with verifiable receipt — an x402-style call where the receipt is the contract, not the screenshot.
§ 06 · what it unlocks

The harder, more durable half of the story.

USDT on Bitcoin,
private and fast.

That's the easy half.

The pinned narrative — "USDT on Bitcoin, private and fast" — is true. But it's the easy half. The harder, more durable half is selective auditability: the property Utexo's stack makes possible and that public chains structurally can't deliver.

It's what lets a payroll provider use Utexo without their salary brackets becoming chain-analytic data. It's what lets an exchange route OTC settlement without the desk's flow leaking. It's what makes agentic commerce billable, auditable, and trust-minimised in the same flow.

The primitives are already in the docs. The receipt format isn't standardised yet — which means there is still a window for it to be specified well, in the open, before each operator invents an incompatible version.

One artifact. Many verifiers.

A draft receipt schema. A reference verifier. A small SDK that lets developers issue and check receipts against role-based policies. That's the layer that turns a stablecoin settlement network into actual financial infrastructure.

Read the schema → Discuss on X